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Abstract — We expand on our work on Quantum Data Hid- 
ing [pj — hiding classical data among parties who are re- 
stricted to performing only local quantum operations and 
classical communication (LOCC). We review our scheme 
that hides one bit between two parties using Bell states, 
and we derive upper and lower bounds on the secrecy of 
the hiding scheme. We provide an explicit bound showing 
that multiple bits can be hidden bitwise with our scheme. 
We give a preparation of the hiding states as an efficient 
quantum computation that uses at most one ebit of entan- 
glement. A candidate data hiding scheme that does not use 
entanglement is presented. We show how our scheme for 
quantum data hiding can be used in a conditionally secure 
quantum bit commitment scheme. 

Keywords — Quantum Information Theory, Secret Sharing, 
Quantum Entanglement 



I. Introduction 

It is well known that composite quantum systems can 
exhibit a variety of nonlocal properties. When two sys- 
tems are entangled, as when two spins are described by the 
singlet state "^(|01) — local measurements on the 

two particles separately can exhibit statistics unexplain- 
able by local hidden variable theories, such as a violation of 
' Bell's inequalities |^ . An information-theoretic or compu- 
, tational expression of this feature is that entangled states 
' can function as nontrivial resources in quantum commu- 
I nication protocols Q , for example reducing the amount 
' of classical communication needed to perform certain dis- 
, tributed computations. 

It has been found that even states without quantum en- 
, tanglement can exhibit properties of nonlocality that are 
' not present in purely classical systems. The first explo- 
, rations in this direction were carried out by Peres and 
Wootters |Q] , who studied the measurements that could 
optimally distinguish three nonorthogonal quantum states 
of which two parties, Alice and Bob, both possess a single 
copy. They found that any measurement that can be per- 
formed using a sequence of local operations supplemented 
by classical communication between the parties (denoted 
as LOCC) is not able to retrieve as much information as a 
global measurement carried out on the joint system. Thus, 
even though no entanglement is present in this system, the 
states exhibit nonlocality with respect to their distinguisha- 
bility. In Ref. where the term 'quantum nonlocality 
without entanglement' was coined, a similar phenomenon 
was exhibited: it is impossible to use LOCC to perfectly 
distinguish nine orthogonal bipartite product states, which 
are perfectly distinguishable when nonlocal actions are al- 
lowed. 

The results that we have presented in Ref. and on 
which we expand in the present paper, can be viewed as the 
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strongest possible separation between the power of LOCC 
versus global operations for the task of distinguishing quan- 
tum states. We use the nonlocality of our quantum states 
to establish a protocol of quantum data hiding: a piece of 
classical data is hidden from two parties, who each share 
a part of the data and are allowed to communicate classi- 
cally. Such a scheme is nontrivial in several respects. First, 
it is impossible in a purely classical world. Second, it is 
impossible if the state shared by the two parties is a pure 
quantum state. This observation follows from the result by 
Walgate et al. ^ which shows that any two orthogonal bi- 
partite pure quantum states can be perfectly distinguished 
by LOCC. Third, the scheme is extremely secure; it is pos- 
sible to make the amount of information obtainable by the 
parties arbitrarily small; the number of qubits needed is 
only logarithmic in the information bound. 

The quantum data hiding scheme is secure if the parties 
Alice and Bob cannot communicate quantum states and 
do not share prior quantum entanglement. In what kind of 
situations can these conditions be met, and is our scheme 
of interest? One can imagine a situation in which a third 
party (the boss) has a piece of data on which she would like 
Alice and Bob (some employees) to act by LOCC without 
the sensitive data being revealed to them. We have to as- 
sume that the boss controls (1) the channel which connects 
the two parties and (2) the labs in which the employees 
operate, so that the boss can use dephasing to prevent the 
quantum communication and to sweep those labs clean of 
any entanglement prior to operation. Our scheme is such 
that at some later stage, the boss can provide the employ- 
ees with entanglement to enable them to determine the se- 
cret with certainty. This feature is used for a conditionally 
secure bit commitment scheme. 

An additional advantage of our scheme, besides its 
information-theoretic security, is that it can be imple- 
mented efficiently; the number of computation steps re- 
quired, both classical and quantum, grows no faster than a 
polynomial of the input size. We find an efficient algorithm 
to prepare the data hiding states which also minimizes the 
use of quantum entanglement. The algorithm hinges on a 
surprising connection between an operation known as the 
Full Twirl and a Twirl over the Clifford group g. The 
Full Twirl is an important operation in the study of entan- 
glement while the Clifford group is an important discrete 
group in the theory of quantum error correction. 

An original goal in our investigations was to establish a 
data hiding scheme in which a bit could be hidden from 
LOCC observers, and the data hiding states are unentan- 
gled; this would have formed an extremely strong example 
of 'nonlocality without entanglement'. Separable (unen- 
tanglcd) hiding states are interesting also because the se- 
curity for hiding a single bit implies directly that hiding 
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independently distributed multiple bits is also secure. The 
quantum data hiding protocol using Bell states does not en- 
tirely achieve this goal, since it still requires a small amount 
of entanglement. We propose an alternative quantum data 
hiding scheme that uses unentangled hiding states. We can 
only rigorously analyze this scheme for small systems, but 
on the basis of this analysis, we conjecture this scheme is 
secure, in the same way as the scheme using Bell states. 

Our paper is organized in the following way. In Section 
^ we review the general setup that is needed to analyze 
the problem of distinguishing a pair of states by LOCC. 
We derive a condition for any LOCC measurement that 
attempts to distinguish a pair of states. A related condition 
has also been discussed in Ref. In Sections [11-^ we 
discuss various aspects of the security of our quantum data 
hiding protocol: In Section III we discuss the scheme for 
hiding a single bit. This scheme was first presented and 
proved secure in Ref. 0] . Our analysis here goes into more 
detail. Furthermore, in Section [II-C we show that the 



sentation 10 



bound on the retrievable information is fairly tight - we 
find a simple LOCC measurement that retrieves an amount 
of information close to our proved bound. In Section we 
digress to show a general result, on how well a single bit can 
be hidden in two arbitrary orthogonal bipartite states. We 
obtain a lower bound on the retrievable information, which 
shows in another way that our scheme has nearly optimal 
hiding capability. In Section ^ we extend our protocol 
to hide A: > 1 bits. We are able to prove a good upper 
bound on the information retrievable by LOCC, exploiting 
the symmetry of our hiding states. 



In Sections VI TX, we present various schemes and dis- 



cussions related to our quantum data hiding protocol: In 
Section we present an efficient algorithm to prepare the 
data hiding states which also minimizes the use of quan- 
tum entanglement. We also prove the equivalence of the 
Full Twi rl and the Twirl over the Clifford group. In Sec- 
tion VII, we discuss the reason that the security for hiding 



a single bit implies the security for hiding independently 
distributed multiple bits, and we describe an alternative 
scheme for hiding bits that uses unentangled hiding states. 



In Section VIII , we apply the quantum data hiding scheme 



to construct a conditionally secure quantum bit commit- 
ment protocol. We conclude our paper with some discus- 
sion and open questions in Section IX. 

The discussion up to Section III-B is a prerequisite 
for all other Sections, which can then be read indepen- 
dently. Throughout the paper, the tensor product of two 
d-dimensional Hilbert spaces is denoted as Hd <8) Ti.d, and a 
positive semidefinite matrix or operator A (with nonnega- 
tive eigenvalues) is denoted as A > 0. 

II. General formalism for operations to learn 

THE SECRET 

In quantum mechanics, a large class of state changes can 
be described using the formalism of quantum operations. A 
quantum operation is a completely positive map [|lO|, 
on operators in a Hilbert space Ti.. A convenient represen- 
tation of a quantum operation is the operator-sum repre- 



(1) 



where Sk are operators acting on H. We restrict our dis- 
cussion to trace preserving quantum operations, for which 
J2k '^I'^k — I- The adjoint of the quantum operation S is 
S\ whose action can be expressed as S^[p] = J^k^kP'^k- 
A state is represented by a density operator p > with 
unit trace. A rank one density matrix, p = is called 

pure and is often represented as a Hilbert-space vector \^). 

We will consider bipartite density matrices held by two 
parties Alice and Bob. Peres and Horodecki et al. 
have introduced a test for the separability of such bipartite 
density operators, which we will use throughout this paper. 
Their criterion is satisfied by a density matrix p when {\a® 
Tb)[p] > 0, where Tb stands for matrix transposition in 
any chosen basis for Bob's Hilbert space, and 1a is the 
identity operation on Alice's Hilbert space. We will say 
that such a density matrix p is PPT, positive under partial 
transposition. 

Our goal is to hide classical data in bipartite mixed 
states, meaning that Alice and Bob cannot learn the secret 
if they do not share entanglement and can only perform 
quantum operations in the LOCC class. An LOCC quan- 
tum operation S has the Peres- Horodecki property, or P-H 
propert'^ if p is PPT then [1a2,B2<SiSai,bi)[p] is also PPT. 
The subscripts in this expression emphasize that S may act 
only on part of the bipartite Hilbert space A\,A2/B\,B2 
on which p exists. (This extension to larger Hilbert space 
parallels the definition of complete positivity of quantum 
operations.) While the LOCC class is highly non-trivial to 
characterize the P-H property itself is much simpler 
to check, and we will use this to derive necessary condi- 
tions for LOCC operations. In our analysis we bound the 
information Alice and Bob can obtain if they could use any 
quantum operation satisfying the P-H property. 

Since Alice and Bob are only interested in obtaining 
classical data, we can restrict our attention to quantum 
operations that yield classical outcomes only. These oper- 
ations are called POVM (Positive Operator Valued Mea- 
sure) measurements [Q, [0. A POVM measurement is 
characterized by a set of positive operators Mi such that 
the outcome i occurs with probability Tr(Mi/o). The trace 
preserving condition requires that Mi = I. The set 
{Mi} is called a POVM, and each Mi a POVM element. A 
POVM measurement on a bipartite input is illustrated in 
Fig. [1(a). 

Extending the discussion in Ref. |Q| , we now derive a nec- 
essary condition for a POVM measurement to satisfy the 
P-H property (and therefore, to be LOCC): each POVM 
element is PPT]] 

To show this, suppose Alice and Bob each create a max- 



imally entangled state, 



T^ESLo 1^0. in their 



^Rains_calls operations with this property p.p.t. superoperato 
Section |X| for further discussion. 
^This is also sufficient, see Section 
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laboratories. The complete state held by Alice and Bob is 
a product state and is thus PPT. Then, they apply the 
POVM measurement on Hd ^ "Hd to the two halves of 
the two maximally entangled states, as shown in Fig. ||(b). 
Suppose outcome i is obtained; then the residual state in 
the two unmeasured halves is proportional to 

d-l 

Pf X! I^>J>("^>"'I Tr[Mi |;, j)(TO,n|] 

/j',m,n— 
d-l 

= {l.3\Mf\m,n)\l,3){m,n\ = Mf , (2) 

/j",m,n— 

where Mf is the matrix transpose of Mi. Thus, mea- 
surement outcome i is produced together with the state 
/Tr (Mi) in the unmeasured halves of the maximally 
entangled states. In order for the POVM to have the P-H 
property, each of these states must be PPT; this establishes 
that each , and therefore each Mi, must be PPT. 

In general, we consider all possible POVMs with PPT 
elements. However, if we are only interested in the prob- 
abilities of the outcomes and our data hiding states have 
certain symmetries, then it suffices to consider a class of 
POVMs reflecting those symmetries. 

More specifically, suppose the secret b is hidden in the 
global bipartite state pb- Consider a POVM with PPT el- 
ements Mi. The conditional probabilities of obtaining the 
outcome i when the secret is b is given by — TT{MiPb). 
If T is a trace preserving quantum operation that is LOCC, 
then is unital {T^I] = I), and the operators T^Mi] 
satisfy Y^- [M,] = / and form another POVM with PPT 
elements (since satisfies the P-H property). More- 
over, if T fixes all pb (i.e., T[pb] = pb), the new POVM 
induces conditional probabilities p'-^f^ — Tr(T^ [Mijpt) = 
Tr(A/iT[/9(,]) = pi\b which are equal to those induced by 
the original POVM. Hence it suffices to restrict ourselves 
to POVMs with elements T^M,] > that are PPT and 
sum up to /. Each quantum operation T that we will en- 
counter reflects the symmetries in the data hiding states, 
expressed by the fact that T fixes the states. The POVM- 
elements T^fM^] will possess symmetries that arise from 
the symmetries of pb, which can greatly reduce the number 
of independent parameters needed to specify the POVM. 
This will lead to a significant simplification in the security 
analysis of our protocols. 

III. Hiding a bit in mixtures of Bell states 

In this section, we describe the basic scheme to hide a bit 
in a mixture of Bell states. This is an in-depth discussion 
which extends our earlier work . We also detail the proof 
of security, and discuss both the upper and lower bounds 
of the information obtained about the secret. 

A. The single-bit hiding scheme 

The classical bit b = 0, 1 is hidden in the two hiding 
states Pq"'' and p^"'' . The bit should be reliably retrievable 
by a quantum measurement; therefore, the states /Jq"' and 



p^"'' are required to be orthogonal, Tt{p'^' p''" 

(n) 

pI operates on 7^2" fX" 7^2" and n is a security parameter. 
Hence, Alice and Bob each has n qubits. 



0. Each 



Po"^ and p^"^ are chosen to be 



and 



(«) 
Ph 



(n) 
Pi 



lOnI 



(3) 



(4) 



keo„ 



Here, jwk) denotes a tensor product of n Bell states labeled 
by the 2n-bit string k, with the usual identification between 
the four Bell states and two-bit strings 0|: 



|10» 



^ 00, 
^ 10. 



|10» 



01; 
11. 



(5) 



In Eqs. (^) and (Q), £'„ is the set of 2n-bit strings k such 
that the number of 11 pairs, i.e. the number of singlet Bell 
states, in k, denoted as A'^ii(k), is even. On is the set of 
bit strings k such that A^ii(k) is odd. The cardinalities of 
En and On, \En\ and \0n\, satisfy the recurrence relations: 



\En\ = \En-l\\Ei\ 
\On\ - |S„-l||Ol| 



|0n-l||0l|, 
\On-l\\Ei\, 



which imply 

\En\ - \0n\ = {\En-l\ - |0„-l|) {\E,\ - \0i\) . 

Since | - |Oi | = 3 - 1 = 2, \En\ - |0„| = 2" and 
\En\ = (22" + 2")/2 , \On\ = (22" - 2")/2 . 



(6) 



(7) 



(8) 



If Alice and Bob can perform nonlocal measurements, 
then they can simply distinguish pg"' from pj"'* by mea- 
suring along the Bell basis and counting the number of 
singlets. For example, if they share n ebits, then Alice can 
teleport her n qubits to Bob; he then measures the n pairs 
along the Bell basis. 



B. Upper bound on the attainable information 



A general LOCC measurement to distinguish p^l is spec- 
ified by two PPT POVM elements Mo,i, both acting on 
7^2" 'S) 7^2"- For the optimal conditional probabilities, it 
suffices to restrict to Bell diagonal POVM elements: 



(9) 



with Q!s,/5s > and as 
Tp^ be the Partial Twirl 



: 1 for all s. To see this, let 
operation on n qubits 



TvAp]^ 



--E 



(10) 



where Vn is the hermitian subset of the Pauli group Vn- 
The elements of Vn are tensor products of the identity and 
Pauli matrices ax \ <Jy ^ and crp'' acting on the j-th qubit. 
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with additional ±1, ±i factors. Xp = T2 is in the LOCC We combine Eq. with Eq. (|l|) to obtain 



class; to implement Tp , Alice and Bob agree on the same 
random P and apply P to their respective systems. 

We now show that the effect of Tp is to remove the 
off-diagonal elements in the Bell basis. On one qubit, Tp^ 
transforms the Bell states according to 



CTcicskfeifeJ = (-1) ■ 



fel-C2ffifc2-Cl 



\Wk^k2) 



(11) 



In this notation, fci 2 are the two bits labeling the Bell state 
as defined in Eq. (^), and ci^2 are the two bits labeling the 
Pauli operators: / ctoo, cf-x cio, ctz ctqi, Oy 
CTii. When applying Tp to an arbitrary n-qubit state, 
the phase factor in Eq. assures that all off-diagonal 
components in the density matrix are cancelled out when 
we average over Vn- Moreover, Tp fixes both p^^^ since 
they are both Bell diagonal. Following the discussion at 
the end of Section ||, it suffices to consider 7^ [Mi] which 
are Bell diagonal, as given by Eq. (||). 

With the simplified form of Mq and Mi, their partial 
transposes can be evaluated directly. Using the fact that 
\ws) — ((Tg ® /)|wo), we find that 

(l0T)[Mo] 

= (1(g) T) ^as(crs®/)|wo)(wo|(crs®/) 

'- S 

= ^ as(crs ® /)(1 «) T)[\iiJo){wo\]{<J^ ® I) 

S 

= ^E"«(-l)'^"^''^l^k®s)(w;k®s|. (12) 

s,k; 

Hence, (1 ® T)[Mq\ = M^"^ is diagonal in the Bell basis, 
and Afo is PPT if and only if 

Vm {w^\MP^\w^) >0. 

Since Mi = I - Mq, Mi is PPT if and only if 

Vm {Wrr,\M[^\Wm) < 1. 

These PPT conditions for m = 00 ... require 

< Xl"-(-l)^"^'^ ^ 2", 



or 



(13) 
(14) 

(15) 
(16) 



sG-E„ seo„ 

We are now ready to use the expressions for po|o and Pi|i: 



Po|o = Tr/?{)"^A/o 



22" 



22" 



2 



221 



Ed 



(17) 



< ^(1 + 2-")po|o + ^(1 - 2-")(pi|i - 1) < 2-" , (18) 



or rearranging terms. 



1 - 2- 



< 



1-^2- 



■Po|o 



1 - 2- 



■Pi\i 



< 



1 + 2- 



(19) 



2-2 2 - 2 

Equation ( [l9| ) puts linear constraints on (po|OjPi|i) as de- 
picted in Fig. H, from which we find 

bo|o + Pill - 1| < < 2-("-i) . (20) 



Equation ( pO| ) implies that the measurement is not infor- 
mative when n is large, since a coin flip without the state 

achieves Po|o +Pi|i 1- 
We now outline how to quantify the amount of informa- 
tion about the hidden bit that can be retrieved by Alice 
and Bob. In general, Alice and Bob will have obtained, by 
their measurements and operations, a multistate outcome 
from which the final outcome is inferred. This corresponds 
to the following process 



(21) 



where y is a multistate random variable representing the 
outcome of the general LOCC measurement A4 and V is 
a decoding scheme to infer the bit b from Y. In princi- 
ple, Y can contain more information about the hidden bit 
than the final inferred outcome, since information can be 
lost when decoding from a multistate random variable to 
a binary one. In Appendix we show that any multi- 
state random variable Y obtained in a scheme such as in 
Eq. ( |2l| ) under the condition of Eq. ( pO| ) conveys at most 
i7(B)/2"-i bits of information on B. Here H{B) is the 
Shannon information of the hidden bit. In other words, 
I{B : Y) < H{B)/2'^~^ , and only a vanishing fraction of 
the Shannon information of the hidden bit can be obtained. 

We have given an elementary proof of Eq. (|2^) . We now 
give an alternative proof that is more easily generalized to 

(n) 

hide multiple bits. This proof uses the fact that pl are 
two extremal Werner states llTfl: 



(«) 
Po 



in) 
Pi 



1 



2"(2" + 1) 



2" (2" - 1) 



(/ + 2"i7„) , 
(/-2"i7„), 



(22) 
(23) 



where 



i/„ = ((l®T)[|$+)(cI>+|])^" = ii^ P^P, (24) 



2 4" 



Pev„ 



with P ranging over the hermitian subset Vn oiVn- (Equa- 
tion ( p^ will be proved in Section VI, see Eq. (fz^.) 
Equations ( p^ ) and (^3|) can be proved by induction us- 
ing Eq. ( |2^ ) and the recursive expressions of pg"'' and pj"-* : 



sGO„ 



(n) 

Po 

(n) 
Pi ^ 



(n-1) ^ (1) 
qn Pi «> Pi 



(1 



X (n-1) ^ (1) 
qn) Po '®Pq' 



("- 
Pn Pq 



+ (1-Pn) 



(n- 
Pi 



(25) 
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where 



"in— 1 



qn = 



2(2" + 1) 



Pn 



2(2" - 1) 



(26) 



An) 



It is known that / and Hn, and therefore p'f^'' , are invariant 
under the bilateral action U ®U for any unitary operation 
U S C/(2"). Hence are fixed by the Full Twirl opera- 
tion: 



1 



Yo\{U) 



dU{U®U) p{U^ ®U^). (27) 



Like the partial twirl , the Full Twirl is also self-adjoint 
and in the LOCC class. Moreover, it is also known that the 
effect of the Full Twirl is to turn any operator into a linear 
combination of / and iJ„ [0 • Following the discussion in 
Section 0, when considering the conditional probabilities, 
Mq and Ml can be taken to be 



Using 



we find that 



and 



Mo = al + P 2" Hn , 

Ml = {l-a)I-P 2"7J„ . 

Tr(iJ„) = l, Tr(i/2)^i, 

Po\o = a + P, 

Pi\i = (l-a)+/3, 



(28) 
(29) 

(30) 



Po|o+Pi|i = 1 + 2/3. (31) 

A bound on the above expression can be found by extrem- 
izing the value of /3 subject to the constraint that Mq i 
in Eq. (|2|) are positive and PPT. From Refs. @ 
we know that an operator al + fe2"iJ„ has nonnegative 
eigenvalues and is PPT if — ^ < b < a. Applying the 
constraints to Eq. (^sh, we have 



a — 1 < P < a , 



a 1 ~ a , , 

On — ^ — 2" 



Eliminating a from the above inequalities, we obtain |/3| < 



2" -1-1 



and thus 



bo|o + Pi 



ll 



II < 



1 ' 



(33) 



which is what we set out to prove. 



C. A tight LOCC measurement scheme 

We can give a lower bound on the attainable value of 
Poio+Pili"! by analyzing a particular LOCC measurement 
scheme to distinguish pg"'' from p^"'* . In this scheme, Alice 
and Bob try their best to distinguish whether each Bell 
pair is a singlet state or not; then they take the parity of 
all the results. The pairwise strategy is for Alice and Bob 
to measure their qubits in the {|0), |1)} basis, and to infer 
a singlet whenever the results disagree. For each pair, this 
gives conditional probabilities 



(1) _ f (1) - 1 
^'o|o ~ 3 ' ^'iii ~ ^ 



Using Eqs. (|25|) and (P6D, we can immediately write the 
conditional probabilities of interest for the n-pair measure- 
ment: 



(«) 
Po\o 



(n) 
Pl\l 



(1 - Qn) 

+ 

(l-Pn) 
+ Pn 



(1) (ri-1) 

^'olo Po\o 



(1) (n-1) 

^•110 Pl\0 



(1) (n-1) _^ (1) (n-1) 



Po|i Po|i 



Pl\l Pl\l 



(1) (n-1) 

Polo Pl\l 



(1) (n-1) 

'Pi\o Po\i 



(1) (n-1) 

Po\i Pl\0 



(1) (n-1) 

Pi|i ^'olo 



(35) 



It is easy to confirm that these expressions are satisfied by 



(n) 

^'olo 

(n) 
Pl\l 



12" -I- 2 
2 2" -f 1 

1 2" 

2 2" - 1 



(36) 



This set of {pI^q^P^I) is plotted in Fig. ||as point D. Note 
that, for all n, they saturate the last inequality of Eq. (^ 
and therefore our security result is tight for this value of 
{po\o,Pi\i)- Because of convexity, this gives a tight result 
along the full line segment connecting point D with the 
point A = (1,0). 

IV. General lower bound for hiding a single bit 

Now we show that some information can always be ex- 
tracted when orthogonal hiding states po,i are used. The 
intuitive reason is that state tomography can be performed 
by LOCC. Given a large number of copies of pt, it is pos- 
sible to identify pt and thus b. Therefore, each copy must 
carry a non-zero amount of information. The precise state- 
ment is the following: 

Theorem 1: For all pairs po,i on 7^2" <8) 7^2" such that 
Tr(yOoPi) — 0, there exists a two-outcome LOCC measure- 
ment such that 

Po|o + Pi|i - 1 > _~ \/^ + '^^"1" ~ ■ (^'') 



It is immediate that 



Po|o +Pi|i - 1 > 



1 



V16" - 1 



(38) 



These bounds are plotted for n = 1 and n = 2 in Fig. ||. 

In Appendix we give a proof of this Theorem using a 
Lagrange multiplier analysis, together with an alternative 
simple proof for the weaker result Eq. (|^. This bound 
is not necessarily tight; the proof of Theorem ^ gives no 
indication of whether or not the right hand side of Eq. ( ^7|) 
could be larger. However, its approximate behavior, i.e. 



Po|o +-P1J1 ~ 
Section |l|. 



1 > 



20(„ 



is in accordance with our findings in 



V. Hiding Multiple Bits 
In this section we will prove the security of hiding mul- 



(34) 

tiple bits bitwise with the scheme described in Section WU\ 
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Let b (61, 62, • 

hiding state is 



■ , 6fc) be a k-hit string to be hidden. The 



(n) 
Pb 



(39) 



1=1 



Showing the security of the bitwise scheme is nontrivial. 
First, one of the hiding states p^"^ is entangled (see Sec- 
tion Vi), and the entanglement in part of the system may 



help decode the partial secret in the rest of the system. 
Second, joint measurement on all k tensor product compo- 
nents may provide more information than a measurement 
on each component separately. The security of multiple-bit 
hiding is established using the symmetry of pp"'' and 
as captured by their Werner-state representation (Eqs. ( p2| ) 
and (H)). 

In the setup for hiding k bits, each POVM element Mi 

(n) 

has a A;-bit index i and acts on 7^2"'= <8) 7^2"'^ ■ Since is 
invariant under (^(2"))'^'^, Mi can be parametrized as 



1 Y 



(40) 



p— m:u)/^(m) — fc— p 



where ~ (S'jLi -^rT' Wh{m) is the Hamming weight 
of the fc-bit string m. Here mi denotes the Ith bit of m, 
= I and = Hn- The number of Hn in is thus 
WhiTca). With this parametrization the trace preserving 
condition Ali = I implies that 



(41) 



Next we consider the constraint (1 ® T)[Mi\ > 0. The 
partial transpose replaces the operator Hn by P+ = 
(|$+)($+|)»". Therefore we have 



4' V 



(42) 



P— m:Wh {m) — k—p 



where is a tensor product of the orthogonal projectors 
1 — P+ and P+ , such that P+ occurs where the A:-bit string 
m has a 1. Here the coefficients ^ are particular sums 
of the coefficients a' ^ of Eq. (En): 



^p,m - E E 

p<l<k n:ui^(n) = fc-l 

Ai(ni'Vmi) — l 



a, 



(43) 



The Boolean-logic condition on n in the summation, Ai(niV 
rrii) = 1, can be expressed in ordinary language by saying 
that the string n must have Os wherever the sting m has 
Os. A necessary (and, in fact, sufficient) condition for the 
positivity of Eq. ( ^2| ) is that these coefhcients ^J, ^ > 0. 
When p = k, this implies that 



(44) 



We will bound the coefficients aj, „ for all i, p and n. These 
upper and lower bounds. 



Lp < a^, „ < Up , 



(46) 



will be obtained recursively as we decrease p from k. The 



recurrence starts with Lk = and Uk = I, Eq. (45). Let 



us assume that we can determine Lp for p < k. Then Up 
directly follows, using the second equation in Eq. (PH): we 
have 

ai,n = -E<n<-(2'-l)^p, (47) 

or Up = —(2*^ — l)Lp for p < k. Then we need to determine 
Lp, which can be done using the PPT condition. We can 
express A^^^ > as 



ap,m > 



> - 



E E 

Ai(niVmi) = l 



a, 



p<l<k 



l-p 



Or, for p < k 



so, in terms of Lf. 



p<l<k 



-l + (2'=-l) J2 ^' 



p<l<k 

This recursion can be solved, giving 

k~p I 



k — p 
l-p 



(48) 



(49) 



(50) 



Lp = -^(l-2'=)'-i^(-l)^r,b-'=-^ 



1=1 



(51) 



which can be rewritten in terms of the Sterling numbers of 
the second type, {^}, as 



ip = -EV-i)'-^^!{'/} 



(52) 



Let us consider the probabilities Pi|b = Tr (Afipb)- Using 
the fact that Tri7„ = Tri?^ = 1, it can be shown that for 
m with Hamming weight k — p 



Thus 



or 



Tr {Xynpb) = 



Pi\b = E E 



p—0 m:u;/i (m)— A;— p 



(-^i)*^"" 

>,m 2n{k-p) ' 



(53) 



(54) 



Together with Eq. (|4|) we obtain for all i 



< alo < 1 . 



(45) 



Pi 



i|b = afe,o+E E 



,i (-1) 



b-m 



p—0 m:Wh{in) — k—p 



(55) 
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We bound the magnitude of the last term as 



With this we can write Eq. (M) as 



fc-i 



<A = (2'-l)EU-p)2^ 

p=0 ^ 

so we bound the conditional probabilities 



aLo - A < pi|b < alo + A. 



(56) 



(57) 



A enters the bound for the mutual information obtainable 
by Alice and Bob. Ideally we would like to use Eq. ( ^Tj ) 
to bound the retrievable attainable mutual information as- 
suming an arbitrary probability distribution for the hiding 

(n) 

states , as we did in the case of hiding a single bit. We 
do not know if the proof technique of Theorem || in Ap- 
pendix ^ is applicable in the multiple-bit case, so we will 
have recourse to another method which provides a bound 
in the case of equal probabilities Ph = ^■ 
We first bound the total error probability 



l-E^'bPblb = 1- 4E^b|l 



(58) 



Using Eq. ( p7| ) we get 

1 - ^ E«o + A) < < 1 - ^ - ^) ' (59) 

b b 

and, with Eq. (pi]), we obtain 
1 



1 



A < pe < 1 



(60) 



With this bound on the error probability it is possible to 
bound the mutual information between the k hidden bits b 
and a multi-outcome measurement by Alice and Bob, simi- 
larly to the single bit case, see Eq. (^l|). For a process such 
as Eq. (^) where B and B are replaced by k bit random 
variables B and B, it can be shown^ that the mutual in- 
formation /(B : Y) < H{B) + log(l - p^). Using Eq. (|o|), 
this implies that 



/(B:r)<-A. 



(61) 



Figure ^ shows an exact calculation of this bound as a 
function of n and k. We can show that these bound curves 
have a simple form in the region of interest by a further 
examination of Eqs. (|5^) and (|56|). It is straightforward to 
demonstrate that, if fc 3> 1, Eq. ( |5^ ) is dominated by its 
final term, so that we can approximate 



Lp«-(2'=-l)'=-f-i(fc-p)!. 

^This was proved by V. Castelli, October 2000. 



(62) 



E 

fe-1 

fc'E 



k\ {2^ - ly 



2^-^"-' 1 



(63) 



It is easy to show that if 2" ^ ^ k then the last term in 
this sum dominates, so we obtain 



AKik2 



k—n 



and Eq. (|61|) becomes 



/(B : Y) 



< k2 



2k- 



ln2 



(64) 



(65) 



The curves shown in Fig. ^ are excellently approximated 
by this expression. 

This result shows that if we fix fc, there always exists an 
n large enough so that the information that Alice and Bob 
can gain is arbitrarily small. Equation (^5|) says that, for 
a given security parameter /(B : Y) < e, n should grow, in 
the large k limit, as 



n{k) —t 2k + logfc + log log e + log(l/e) 



(66) 



It is interesting to note that the above bound is much 
weaker than in the case when information is additive over 
the different bits hidden, which would imply 

n(fc) ^ logfc + log(l/e). (67) 

Sufficient conditions for information to be additive will be 



discussed in Section VII-A 



VI. Preparation of the hiding states 

We consider the question of how the hider can efficiently 
produce the states Pq"^ and p^"'' starting with minimal en- 
tanglement between the two shares. The defining represen- 
tation of the states, Eqs. (^ and (^, suggests a method 
to create the hiding states by picking n Bell states with 
the correct number of singlets (even or odd). This method 
is computationally efficient, but uses a lot of quantum en- 
tanglement between the shares, namely n ebits per hiding 
state. The alternative representation of Pq"'' and p(^^ as 
Werner states, Eqs. (^) and (p3|), can be used to show 
that they have and 1 ebit of entanglement of forma- 
tion respectively [|l8|, [0. We first describe an efficient 
LOCC preparation for /Jq"'' from the unentangled pure state 
|0) = 10)*^" (g) |0)®". By efficient we mean that the number 
of quantum and classical computational steps scales as a 
polynomial in n, the number of qubits in each share. Then, 
using the recursive relations Eq. (Ea), and the preparation 
for Pq"'' , we give a preparation ioip^^ using exactly 1 ebit 
for arbitrary n. Note that this is a tight construction in 
terms of entanglement, since p["'' has an entanglement of 
formation of 1 ebit. 
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A. Preparing pg"-* 

Recall from Section ID that the Full Twirl 
1 



^C/(2")[P] 



Vol(J7) 



dU{U(8)U)p{U^ (8)U^), (68) 



has only two linearly independent invariants / and and 
it transforms any state to a Werner state. Moreover, note 
that 



Tr(T[;(2")[p]i^r! 



Tr(prJ(2„)[i?n]) 



Tr(pff„) . (69) 



Hence, the Full Twirl transforms p to a Werner state with 
the same overlap with i?„. From Eqs. ( p^ and (pof), 

Tr (^p[,"^iJ„) ^; this also equals Tr (|0) (0|i7„) using 

Eq. (H). Hence, 



(70) 



p(") = rt,(2„)[|o)(o|] , 

and Pq"'' could be prepared by applying 7^(2") to |0). 

The Full Twirl, interpreted as the application of a ran- 
dom bilateral unitary, is not efficient to implement. Ap- 
plying a unitary transformation selected at random is a 
hard problem: almost all unitary transformations take an 
exponential time in the number of qubits to accurately ap- 
proximate |21|. In the following, we give an efhcient im- 



plementation of the Full Twirl, first by showing that it is 
equivalent to randomizing over the Clifford group only, and 
second by providing methods to select and implement a 
random Clifford group element efficiently. 

A.l Chfford Twirl 

The Clifford group C has appeared in quantum infor- 
mation theory as an important group in the context of 
quantum error correcting codes The Clifford 

group Cn C C/(2") is the normalizer of the Pauli group 
Vn- The order of the Clifford group acting on n qubits is 
|C„| =2"'+2«+3H7^,(4^--l) [@. 

It is useful to consider how each c G C„ acts on Vn by 
conjugation. As the conjugation map is reversible, C„ is 
a subgroup of the permutation group acting on Vn- Each 
c is specified by the 2n images of the generators of Vn 
Ui — cat^ and hi = cai^ for i — 1,- • - ,71. There are 
restrictions on these images, since conjugation preserves 
the eigenvalues (and thus the trace), the commutation re- 
lations, and the multiplicative structure of the Pauli group. 
Because of eigenvalue preservation, conjugation preserves 
the hermitian subset Vn (introduced earlier, see Eq. (|l0|)). 
The images are In traceless hermitian Pauli operators satis- 
fying the commutation relations Vi, j [a.;, aj\ = hj\ = 0, 
Vi ^ j [ai,bj] = and {ai,bi} = 0. Each c G C„ 
can be explicitly constructed: first choose ai =/= I, then 
choose a2 to commute with ai, and 02 ^ {/, ai}, then 
choose 03 to commute with oi, 02 and 03 ^ {/, oi, 02, 0.102}, 
and so on until a„ is chosen. Each bi can be chosen 
to anticommute with Ui and commute with all other aj 
and If (ai, • • • , a„, &i, • • • , 6„) is a valid set 

of images corresponding to a Clifford group element c, 



((-1)^^01, •••,(-l)^"a„,(~l)^"+i6i, 
other valid set corresponding to 



c(a:v:"+^ 



, (-1)^^"6„) is an- 
"), (71) 



where each = 0, 1. 

We define the "Clifford twirl" on » ^2" to be the 
operation 

Tc„ [p] = 1^ 51 ^ • (72) 

We now prove that 7c„ — ^(2")- We need to show that 
these two quantum operations transform any state to the 
same output. It suffices to show that (1) 7c„ = , (2) 
Tc^[I] = I, (3) TcjHn] = Hn, and (4) transforms 
any state to a linear combination of / and Hn- Conditions 
(l)-(4) ensure that 7c„ transforms any state to a Werner 
state with the correct overlap with Hn, i.e., Tr (_ff„p) ~ 
Tr{HnTcJp]) (cf. Eq. (|6|)). Conditions (1) and (2) are 
obvious. Condition (3) can be proved by writing 



Hn = ((i®r)[|<i>+)(<i>+|]) 



1 



-{1 1^ I + <7x <^ <Tx + cTy 1^ ay + az 1^ az) 



0n 



1 1 

24" 



E 

PeVn 



P(K) P. 



(73) 



Since conjugation by each c G C„ only permutes the terms 
in this sum over Vn, Hn is invariant under 7c„. This es- 
tablishes (3). 

To show condition (4), we consider the action of 7c„ 
on a basis for the density matrices. We choose the basis 
Pi®P2 G Vn®Vn- We already know that [J(g)/] = I® I. 
Without loss of generality. Pi 7^ /. First consider Pi 7^ -P2 ■ 
There exists a c such that cPic) = a'^x^ and cP2C^ ~ 9 ~ 



ai: or az or / depending on whether [Pi,P2] = or 
{P^, P2} = or P2 = /. Then 

Tc„[Pl®P2] 



J2 (cPlC^) ® (cP2ct) 



\Cn\ 



^ (cai'^c^) ® (cgct) . (74) 



For every c, there is another c' (see Eq. (71)) such that 



c'cri^''c'^ = — ctri^^c^ and c/gc/^ — cgc\ hence the sum van- 



ishes. Now consider P = Pi ® Pi. 

rc„ [Pi ®Pi] = -^ Y. (^^i'^^^) ® (^^i'^^^) 

' cec. 



(75) 



Following the discussion on specifying Clifford group ele- 
ments, ccri^^c^ ranges over all elements in Vn ^ {!}■ More- 
over, each ca'^^ c'^ occurs in the sum the same number of 
times independent of c; this is the number of valid combi- 
nations 02, • ■ ■ , o„, 61, • • • , 6„ that complete the image set, 
which is independent of c. Thus we obtain 

rc„ 1 



P®P 



\'Pn\ - 1 



E 



(76) 



Qe-p„-{/} 
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Comparing this with Eq. 
combination of / and Hn 



we see that this is a hnear 
This proves condition (4), and 



thus rc„ = rc/(2.). Therefore Tc^ [|0)(0|] 



(«) 
Po ■ 



A. 2 Selecting and implementing a random element in the 
Clifford group 

To implement the Clifford twirl efficiently, we need to se- 
lect and implement random elements in the Clifford group. 
Our method is based on the circuit construction of any Clif- 
ford group element in Ref. ||] by Gottesman. The essence 
of his construction is as follows. We choose the following 
generating set for the Clifford group C„: 



G = {H,,CNOTjfe,P™,pJj , 



(77) 



where H, CNOT, and P respectively stand for the 1-qubit 
Hadamard transform , the 2-qubit controUed-NOT, 

and the 1-qubit phase gate (g^). Subscripts in Eq. (^ 
denote the qubit(s) being acted on. 

Note that the generating set is self-inverse and that it 
has -n? + 2n elements. From Ref. a circuit with no 
more than 3n^ + ln + 0(1) gates from G can be explicitly 
constructed for each element in Cu- 
lt remains to find a method to select any random ele- 
ment in Cn with uniform probability. This cannot be done 
simply by randomizing the building blocks of the Gottes- 
man construction. Hence we use a random walk over C„ 
to generate a random element, which can then be imple- 
mented by the Gottesman construction. Even though |C„ | 
is of order 2'^^" \ it can be proved that our random walk 
converges in O(n^) steps to the uniform distribution over 
the Clifford group elements. 

The algorithm can be summarized as follows: 

1. Classical random walk. Determine a random element 
using a random walk algorithm: at every time step, with 
probability 1/2, do nothing, and with probability 1/2 
choose a random element in G. Proceed for 0{n^) steps. 
Let the resulting element be U . Classically compute the 
images Ua'i^U^ and C/ai'V^, which can be done efficiently 
following the Knill-Gottcsman theorem 

2. Quantum circuit. Using the 2n images, build a quantum 
circuit to implement U using the Gottesman construction 
with in? + 7n + 0(1) generators. 

Remarks: We separate the algorithm into classical and 
quantum parts because there are O(n^) classical steps but 
only 0{n^) quantum gates. The 'do nothing' step with 
probability 1 /2 is based on a technicality in the proof and 
may be skipped in an implementation, so that a random 
generator is picked at every round. 

We prove that the Markov random walk 'mixes' in O(n^) 
steps. The proof |2^ rehcs on the facts that (1) any ele- 
ment of the Clifford group can be reached from any other 
by applying O(n^) generators, i.e. the diameter d of the 
(Cayley) graph of the group is 0{n^), and (2) the random 
walk uses a symmetric (self-invertible) set of generators 



over a group. We use Corollary 1 in Ref. [g4| to bound the 
second largest eigenvalue A2 of this Markov chain as 



A2 < 1 - v/d"^ 



(78) 



where d is the diameter and 77 is the probability of the least 
likely generator, which is r/ = n'^^r>n '^^^ case. Therefore 
A2 < 1 - 0(l/n6). Then, using Lemma 2 in Ref. [|||, after 
k steps of iteration the distance of the obtained distribution 
p{k) from the uniform distribution u{c) = |^ is bounded 

as ||p(*') - < \/lC|(l - 0{l/n^))''. Here, we use the 
Li norm between two distributions p{c) and g(c), i.e. \\p — 
q\\i = X^cgC b('^)~9(c)l- If we set k = 0{n^), this distance 
can be bounded by a small constant. 

B. Preparing p^"^ 

The state p^"^ can be created using one singlet state. 

(n) 

This is obvious when n = 1. For n > 2, pi can be cre- 
ated using the recurrence relation Eq. (25) by the following 
recursive process: 

• Flip a coin with bias pn for 0, and bias 1 — p„ for 1. 



If the outcome is 0, prepare pg" ( 



. , (ra-l) ^ (1) 

IS 1, prepare pl (8" Pg . 



'>Pi 



(1) 



If the outcome 



When 



prepared recursively. Otherwise, p^" ^' is just the singlet. 
Note that the procedure relies on the preparation of all 

(n) 

possible pg without entanglement. Note also that the 
singlet p^^^ is used exactly once in the procedure. 

VII. Data hiding in separable states 

We have considered hiding states with very little entan- 
glement. In this section, we consider completely separable 
hiding states. Such "separable hiding schemes" are inter- 
esting for several reasons. First, given a separable scheme 
to hide one bit, multiple bits can be hidden bitwise; if the 
probability distributions of these bits are independent, then 
the attain able in formation is additive (as will be proved 
in Section VII- A ) . Second, the hiding states can be pre- 
pared without entanglement. Third, from a more funda- 
mental perspective, such separable hiding schemes exhibit 
the intriguing phenomenon of quantum nonlocality with- 
out entanglement |^ to the fullest extent. We have good 
candidates for separable hiding states, but have not been 
able to prove their security rigorously. First we present a 
proof due to WoottersQ of the additivity of information in 
a bitwise application of separable hiding schemes. 

A. Additivity of information when states are separable 

Suppose the bit 6 = 0, 1 can be hidden in the separable 
states Pb=Q.i, with bounded attainable mutual information, 
I{B ■.Y)<S. We call this the "single-bit protocol" . We 
consider hiding two bits 61,62 in the tensor-product state 
Pbi (8)pb2- Consider I{BiB2 : ^12) where Y12 is the outcome 
of any measurement on p^^ ® Pb2 which is LOCC between 
Alice and Bob but can be jointly on pf,j and p^^. By the 

''Email correspondence from W. K. Wootters, January 1999. 



1 > 2, p^ 'is 
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chain rule of mutual information |25[| , wc have 
I{BiB2 : ri2) = I{Bi : ^2) + /(B2 : Yi2\Bi) . 



(79) 



We now show that, when bi and 62 are independent (hav- 
ing a product distribution p{bi)p{b2)), both I{Bi : Y12) 
and I{B2 : yi2|-Bi) can be reinterpreted as the informa- 
tion obtained about a bit hidden with the single-bit pro- 
tocol and are bounded by S. The term I{Bi : Y12) mea- 
sures how much about bi is learned from Y12, when 62 is 
unknown. This is also the information about bi learned 
from pb-^ by the following LOCC procedure: First, ap- 
pend an extra pb2, chosen according to the probability 
distribution ^(62). Then, without using their knowledge 
of 62, Ahce and Bob measure Y12 on pt^ <S) Pb^- Thus 
I{Bi : Y12) < S. It is crucial that pb2 is separable and 
can thus be prepared by LOCC. Similarly, I{B2 ■ ^12!^!) 
is the information about &2 learned from by append- 
ing a known extra pb^ (chosen with probability p{bi)) and 
measuring Y12. Hence I{B2 ■ ^121^1) < S. More gener- 
ally, I{BiB2 ■ ■ ■ Bk Y) < k6 for any Y, implying that the 
information is additive. 

Note that this additive information bound for separable 
hiding states is much stronger than that for entangled hid- 
ing states (Section 0). Note that there is an important 
difference between hiding with separable states and the 
problem of classical data transmission through a (noisy) 
quantum channel. For the latter it is known that the ca- 
pacity is nonadditive, in the sense that the receiver has to 
perform joint measurements on the data to retrieve the full 
Holevo information |2^. The difference is that to achieve 
the Holevo information one encodes the classical data, so 
that the prior distribution is not independent over the dif- 
ferent states. In our information bound for bit hiding, the 
different bits are assumed to have independent prior prob- 
abilities. 

B. An alternative hiding scheme 

In this section, we discuss some interesting properties of 
two orthogonal separable states in H2^'H2, and a candidate 
separable hiding scheme built from them. Consider the 
following two bipartite states in Ti.2 §5 7^2, introduced in 
Section VII of @: 

ro = ^[|+)(+|®|0)(Oh 



Tl 



®\+){+\ \ , 

)(-|®|-)(-| + |I)(I|®|l)(l|] , (80) 



where |±) = ^TJ^^^^ 1"'^^-'' "^^^^^ separable states are or- 
thogonal, but the results of Ref. ||] suggest that they are 
not perfectly distinguishable by LOCC. We now strengthen 
this result using the general framework for LOCC measure- 
ments described in Section 

Our goal as before is to bound po|o + Pi\i obtained by 
any measurement with PPT POVM elements. Following 
the discussion of Section ||, we restrict to PPT POVM el- 
ements Afo,i, and use the symmetry of rg^i to simplify the 
possible form of Mo,i. It will suffice to consider POVM el- 
ements T^[Mi], where T[/9] = i(p + SpS + H2pH2 + SH2pH2S) 



with H2 = H ® H being the bitwise Hadamard transforma- 
tion on both qubits, and S being the swap operation on 
the two qubits. It is immediate that T is self-adjoint, and 
that it fixes tq.i. Unlike in Section ||, T is not LOCC, but 
it does preserve the PPT property of M^, because SM^S 
is PPT (the swap just relabels the input bits). Moreover, 
VAf , T[T[M]\ = T[M]; therefore, we can restrict to POVM 
elements Af that are invariant under T. This symmetry is 
most easily imposed in the Pauli decompositions of Afo,i: 



Mo 
Ml 



aPa + cPc 
(f - a)Pa 



-ePe 

cPc 



-dPd, 
ePe - dPd , 



(81) 



where 



Pa = 

Pc - 

Pd = 

Pe = 



)/- 



/ + /( 



(82) 



are the only linearly independent invariants under T . Note 
that Afo,i are automatically invariant under partial trans- 
pose. Therefore, it only remains to impose conditions on 
a, c, d, e to make < Mq < /: 



< a - 2d < f , 
< a - 2e < f , 
< a±/3 < 1. 



(83) 
(84) 
(85) 



In Eqs. (||)-| 
of Mq , with a 



|), the bounded quantities are eigenvalues 
^a + d + e and /3 = y/Sc^ + (d- e)^. 
To find po|o and Pi\i, we express to.i in their Pauli de- 
compositions, using |0)(0| = ^(/ + (Tz), |1)(1| = 5(1 — CTz), 
and |±)(±| = i(/±a,): 



To 



-(2Pa- 
-{2Pa 



Pc + Pe), 
' Pc + Pd) . 



(86) 



Using Eqs. (gfj) and (pq), and the trace orthonormality of 
the Pauli matrices (up to a multiplicative constant), we 
find the conditional probabilities of interest: 



Po|o = Tr(AfoTo) = a + 2c + e , 

=Tr(Afiri) = (f - a) + 2c - d . 



(87) 



The values of (po|OiPi|i) permitted by the positivity con- 
straints Eqs. (|83|)-(|85|) are depicted in Fig. we leave the 
straightforward derivation of Fig. [s] to the interested reader. 
Here we only use Eq. (^) to derive a simple bound on 
|Po|o +Pi\i " l| (the straight portion of the boundary). We 
have: 



|P0|0 +Pl|l 



1 



:4c+ (e 



d) 

2 VSc 
3W 



1 (e-d) 
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Since (3 = v'Sc^ + {d-e] 
is of the form | cos 6 cos (p 
Moreover, from Eq. (^sh. 



2, the last factor in the last line 
+ sin 6* sin 01 = | cos(6' - (f>)\ < I. 



The upper bound on pg"p 



(ri) 
-Pl|l 



1 imphes + p 



^1|1 



< 



Hence, 



|po|o +Pi|i - l| < 



^/3 



(89) 



This upper bound for protocols with the P-H property is 
tight, in the sense that there exists a simple LOCC proce- 
dure that achieves this bound. This procedure is described 
in Appendix 0. 

Equation ( p9[ ) establishes that tq i cannot be perfectly 
distinguished by measurements with PPT POVM elements, 
since the perfect measurement would give po|o +Pi|i = 2. 
We can also put a lower bound on the amount of entan- 
glement required to distinguish tq from ri perfectly. The 
combined support of tq and ti has full rank and tq and ti 
are orthogonal; therefore, the perfect POVM measurement 
has unique Mq^i- The measurement, if used as in Fig. |^(b), 
can create the states Mo/Tr(Mo) and Mi/Tr(Mi). These 
both have « 0.55 ebits of entanglement of formation, as 
calculated using Ref. Therefore, tq^i take at least 0.55 
ebits to distinguish perfectly. 

We conjecture that the parity of the number of ri in a 
tensor product of n tqS and ns cannot be decoded better 
than by measuring each tensor component and combining 
the results. More precisely, we consider distinguishing the 
states 

^ n, (E) (E) ■ ■ ■ <E) ■ (90) 



.in) 



2"" 



Bb„=b 



Here © is addition modulo two. We follow the general 
method to find the allowed values of (Po"o i -Pi"i ) ; ^'^'^ "^O"^" 
sider PPT Mo,i > with the proper symmetries. Since the 
eigenvalues of Mo for n> 2 are not analytically obtainable, 
we have performed a numerical maximization of p^^^ with 

fixed for n — 2 and n — 3. All numerical results pre- 
sented have negligible numerical errors. The allowed region 
for (Po^QjPi^j) is given in Fig. ||. The best value of Pp^Q-l-p^^] 
is precisely the one achieved by applying the LOCC mea- 
surement in Appendix ^ on each tensor component, and 
classically combining the results to infer the parity. The 
same has been confirmed for n = 3: p^^^ +-Pi|i — 1-64952. 
While we have no convincing arguments for the conjecture 
for general n, the n = 2, 3 cases are unlikely to be degen- 
eracies or coincidences. 

Suppose the conjecture is true. Let 5(Po|g +Pi|i) ^ P 

where P = ^ + ^ denotes the best decoding probability 

(n) 

for n — 1. Then, is distinguished correctly only if an 
even number of components are decoded incorrectly, thus 



(«) , («) 
Pq\o +P 



s < 2 y: p'-HI-pY 

k even 

= {p+{\-p)r + {p-{\-p)r 

= l + (2p-l)" 



l| < ("^)"- If conjecture is true, this bound vanishes 

(n) 

exponentially with the number of qubits used, and 
can be used to hide a single bit in a way similar to the Bell 
mixtures p^^K Comparing Eqs. (|9ll ) and the separable 

4.8 times as many qubits as in 



scheme takes - — --^ — ;= 

l-log2 V3 

the Bell-state protocol to achieve the same level of security. 

viii. conditionally secure quantum bit 
Commitment 

Bit commitment is a cryptographic protocol with 
two parties, Alice and Bob. It has two stages, the com- 
mit and the open phases. The goal is to enable Alice to 
commit to a bit that can neither be learned by Bob before 
the open phase nor be changed by Alice after the com- 
mit phase. Bit commitment is a primitive for many other 
protocols, such as coin tossing, cf. Ref. However, 
the security of classical bit commitment schemes relies on 
unproved assumptions on computational complexity, while 
unconditionally secure quantum bit commitment has been 



(91) 



proved to be impossible |29|, pO| |. 

In this section, we use the main idea of the bit hiding 
scheme in Section [H to construct a conditionally secure 
bit commitment scheme in the following setting. The com- 
mitment is shared between two recipients (Bob-1 and Bob- 
2) who do not share entanglement and can perform only 
LOCC. Thus the present discussion contrasts with previous 
works in that (1) it is not precisely a two-party protocol 
and (2) the security is conditioned on restricting the two 
Bobs to LOCC operations only. 

Let n, r be security parameters. The scheme is secure in 
the sense that the dishonest Bobs learn at most 2~("~^^ 
bits on the committed bit before the open phase, and a 
dishonest Alice can change her commitment without being 
caught with probability 2~^ . The scheme is as follows: 

• Commit phase: To commit to 6 = (6 = 1), Alice picks a 
random \w-k} with^an even (odd) number of singlets Iwn). 
Alice sends one qubit of each Bell pair to each Bob. 

• Open phase: Alice sends n + r singlets to Bob-1 and Bob- 
2, who apply a random hashing test , |3l] and use r of the 
singlets to check if the received states are indeed singlets. 
Alice is declared cheating if the test fails. Otherwise, the 
remaining n singlets are used to teleport Bob-l's qubits to 
Bob-2 who measures k to find b. 

Proof: [Security] If Alice is honest, the security of the 
bit hiding scheme implies that the dishonest Bobs can learn 
at most 0{2~") bits of information before the open phase. 
If Bob is honest, the most general strategy for a dishonest 
Alice is to prepare a pure state {ip) with five parts. Pi for 
i = 1,- • - ,5. In the commit phase, she gives Pi and P2 
to Bob-1 and Bob-2. In the open phase, she applies some 
quantum operation £ on P^^P^jP^. Then, she sends P3 
and P4 to Bob-1 and Bob-2. If PsjPa are indeed n + r 
singlets, the test is passed and £ does not change the state 

^Recall that | Wk) denotes a tensor product of n Bell states specified 
by the 2n-bit string k according to the scheme in Eq. (0). 
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of Pi and P2 , and Bob-2 indeed obtains Pi , P2 in the same 
state as in the eommit phase after teleportation. (Pi , P2 
can only be changed during the teleportation steps when 
interacting with P3 , P4 if they are not singlets.) In this case, 
the distribution of k and therefore the committed bit b in 
both phases are the same - Alice cannot change or delay 
her commitment. In case P3 and P4 are not singlet states 
the analysis of the failure probability of the random hashing 
method follows the quantum key distribution security proof 
by Lo and Chau ||3l[]. If P3, P4 are in some state orthogonal 
to n+r singlets, the test is passed with probability 2~'^ only. 
In general, let a be the fidelity of P3 , P4 with respect to 
n + r singlets. The probability to change the commitment 
without being caught is < 2^'"(1 — a) which is less than 

■ 

Note that our scheme does not force Alice to commit. For 
example, she can send an equal superposition of the 6 = 0, 1 
states, but she cannot control the outcome at the opening 
phase. However, this is inherent to schemes which conceal 
the commitment from Bob. Classically, it is as if Alice sent 
an empty locked box with no bit written inside, or a device 
in which Bob's opening the box triggered a fair coin toss 
to determine the bit. 

We note that the above scheme has many equivalent vari- 
ations. For example, Alice may instead prepare a super- 



position X]kG-E„/o„ I'*-) and send the second part 

to the Bobs, which provides a way of sending the density 
matrices . Bob can request Alice to announce k in the 
open phase, and declare her cheating if he finds a different 
k. However, these schemes are exactly equivalent to the 
proposed one. 

IX. Discussion 

The quantum data hiding protocol using Bell mixtures 
can be demonstrated with existing quantum optics tech- 
niques. The hider can prepare any one of the four polariza- 



gies than presently exist but is interesting to consider. As 
we showed in Section VI, quantum operations in the Clif- 
ford group are required. The one-qubit gates are obtainable 
by linear optics, but the CNOT gate cannot be implemented 
perfectly by using linear optical elements. However, recent 
work by Knill et al. shows that a CNOT gate can be 
implemented near-deterministically in linear optics when 
single-photon sources are available. So, this preparation 
scheme may be practicable in the near future as well. 

We have proved for the Bell mixtures Pq^I that the secret 
is hidden against LOCC measurements; but the secret can 
be perfectly unlocked by LOCC operations if Alice and Bob 
initially share n ebits of entanglement (the LOCC proce- 
dure is just quantum teleportation followed by a Bell mea- 
surement by Bob). What is the smallest amount of entan- 
glement Emin required for perfect unlocking? This quan- 
tity would give another interesting measure of the strength 
of hiding. We do not know Emm exactly, although we can 
give a lower bound for it. The bound is obtained by con- 
sidering the procedure of Fig. |l|(b) as a state-preparation 
protocol. Here we take the measurement M to be the non- 
local one that exactly distinguishes the hiding states. This 

(n) 

M is unique because { have full combined support and 
are orthogonal. Considering M to be an LOCC measure- 
ment performed with the assistance of E,-ain ebits of prior 
entanglement, the average output entanglement of forma- 
tion of Fig. 0(b) provides a lower bound for E,nin, since 
the LOCC procedure cannot increase the average entan- 
glement. 

This entanglement of formation is straightforward to 
compute: When the input is two halves of two maximally 
entangled states as shown, the input density matrix, which 
is proportional to the identity, can be expressed as: 



I _ \En\ (n) I On 



(n) 
Pi 



(92) 



tion Bell states, ^(| | , J) ± | ^ , ^)), ^(| | , ^) ± || , 4-> The output state is therefore p}yl with probabilities ^ 



) ) . Any of these can be prepared using downconversion | 
followed by an appropriate single photon operation. The 
photons can be sent through two different beam paths to 
Alice and Bob. Then Alice and Bob might atte mpt to un- 
lock the secret by LOCC operations as in Section III-C ; this 
requires high efficiency single-photon detection]^ Alterna- 
tively, the secret can be completely unlocked if a quantum 
channel is opened up for Alice to send her photons to Bob, 
who performs an incomplete measurement on each pair to 
distinguish the singlet "^(1 t : ^) ~ I t j ^)) from the other 
three Bell states. Such an incomplete measurement has 
been performed in the lab Js^ ; a full Bell measurement is 
not necessary and is in fact not technologically feasible in 
current experiments. 

Our alternative low- entanglement preparation scheme 
would require more sophisticated quantum-optics technolo- 

^ The quantum efficiency of detectors strongly depends on the wave- 
length. At 543 nm, quantum efficiencies as high as 95% have been 
observed (E. Waks et al., unpublished). At 694 nm, quantum effi- 
ciencies as high as fs; 88% were reported, see Ref. |33l. 



Since the entanglement of formation of p^"^ is 1 ebit, 
the average output entanglement of formation is -^^^ = 
i(l-2-") ebits. Thus, E^in > ^(1-2""). This is still far 
from the upper bound of n ebits; considering more general 
input states in Fig. |l|(b) could improve our lower bound. 

Our technique of putting bounds on the capabilities of 
LOCC operations using the Peres-Horodecki criterion is an 
application of the work of Rains , . He introduced a 
class of quantum operations that contains the LOCC class, 
which he called the p.p.t. superoperators ||3^; S is in 
the p.p.t. class iff (1 (g) T) o 5 o (1 (g) T) is a completely 
positive map. It has been proved^ that the p.p.t. class is 
identical to the class of quantum operations that have the 
Peres-Horodecki property, which we introduce in Section^ 
This p.p.t. class also extends in a very precise way to 
the POVMs, in the following sense: the condition that 
all Mi be PPT is both a necessary and sufficient con- 
dition for a POVM to have the P-H property (which is 

'^E. M. Rains, private communication, February 2001. 
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equivalent to saying that the POVM, viewed as a quan- 
tum operation from Tid ® Ti-d to a one-dimensional space 
Ti-i (81 Hi, is p.p.t.). The necessary part is proved in Sec- 
tion H; sufficiency can be derived by considering an arbi- 
trary input p to the POVM M including ancillas (as in 
Fig. 0(b), but with general input). The output density 
matrix for outcome i is proportional to pi oc Trp(Af,;p), 
where the partial trace is over the input Hilbert space to 
M. The partial transpose of this operator can be written 
(1 (g) T)[p,] oc Trp[(l (g) T)[M,]{1 (g) T)[p\]: the proof follows 
straightforwardly from this formula. 

It should be noted that the symmetrizing operation 
introduced in Section ^ is not restricted to the p.p.t. class. 
For example, in Section VII- B is not in the p.p.t. class. 
T''' only needs to be unital and has the property that [M] 
is PPT if M is PPT. The latter resembles, but is very differ- 
ent from the P-H property, which also requires {1(E)T^)[M] 
to be PPT if M is PPT. The difference is reminiscent of the 
distinction between positive and completely positive maps. 

We believe that our quantum data hiding scheme using 
Bell states can be extended to multiple parties. Consider 
for example the extension to three parties Alice, Bob and 
Charlie, who are restricted to carrying out LOCC opera- 
tions amongst each other. Candidates for the hiding states 
are the 3-party extensions of the Werner states, studied by 
Eggeling and Werner js^ . 
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Appendices 

A. Bounding the obtainable mutual information 

Let X be a binary random variable. Define Zs to be the 
set of all binary random variables that satisfy the following 
bound on the conditional probabilities: 

-S <p{Z = 0\X = 0)+p{Z = 1\X = l)-l<6, (93) 



as in Eq. (|20|). Define Yg as the set of all random variables, 
with any number of outcomes, for which all "decoding pro- 
cesses" V produce binary random variables in the set Zs. 



This situation is summarized as 

X^Y^Z. 



(94) 



Note that p{Z\Y) prescribed by V may depend on p{Y\X). 
In this setting, we have the following bound: 

Theorem 2: VF G K,, I{X : Y) < 5H{X). 

Proof: We first derive bounds on the conditional 
probability distribution of any Y £Ys given X. We con- 
sider p{Z^k\X = l) = j:,PviZ^k\Y=j)p{Y^j\X = l) 
implied by any Y and V. When we maximize I{X : Y) over 
Y with fixed V, we obtain an overestimate of I{X : Y) be- 
cause we can maximize Y over a superset of Ys . Hence we 
can focus on a particular decoding process V defined as: 



PviZ = 0\Y = j) = l if je/oU/. 

Pv{z = i\Y=j) = i if jei+, 

where 

J e 1+ ^p{Y = j\X = l) > p{Y=j\X = 
J e Io^p{Y = j\X = l)=p{Y=j\X = 
3 e /_ ^p{Y^j\X^l) < p(Y^j\X. 

Given these we can compute 

p{Z = 0\X = 0) +p{Z=l\X = l) 

ie/oU/_ je/+ 

= ^max(p(r = j|X = 0),p(>"=j|X = l)) 
j 

= l+Y,PiY^j\X = l)-piY = j\X^O). 



(95) 



0), 
0), 
0). 



(96) 



(97) 



Substituting Eq. (97) into Eq. (B3), the first inequality be- 



comes trivial and the second inequality gives a necessary 
condition on the set Y,: 



vy e Ys, 



J2 p{Y = j\X = l)-p{Y=j\X = 0) <5. 



(98) 



We now use Eq. ( Pq ) to bound I{X : Y). We introduce 
the notations pjo = p{Y = j\X = 0) and pji = p{Y = j\X = 
1) for the conditional probabilities, and p{X^O) = xq and 
p{X = l) = xi = 1 — Xq for the fixed prior probabilities for 
X. We can then write the mutual information as 



Hx ■.Y) = j:^^j^^j_f{p,o,Pji) 



where 



f{PjO,Pji) = ELo ^"Pj" log ^ 



Pjo 



(99) 
(100) 

represents the information on X obtained from the out- 
come Y^j, weighted hy p{Y=j). Note also the outcomes 
in Iq do not contribute to the mutual information. We will 
maximize Eq. (|100[) subject to the constraints 



(101) 
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and 



E 



Pjl - PjQ < S . 



(102) 



The maximization of I{X : y) is made tractable by not- 
ing that any optimal Y can be replaced by another Y" 
with \ I1\, < 1, and satisfying the same constraints 



Eqs. ( |lOl[ ) and ( |102| ). We prove this using the fact that 
fiPo,Pi)^f{p) is linear (/(cp) = cf{p)) and convex, giv- 
ing 



f{cop + ciq) 



< 



cofip) - 
f{coP) 



cifiq) 

' f{ciq)- 



(103) 



where the sum is over all 16" possible 4n-bit strings k, and 
CTk is identified with a tensor product of 2n Pauli matrices 
as defined in Section We restrict our choice of LOCC 
measurements to those that measure the eigenvalues of a 
particular optimal as, which can be -1-1 or —1. This mea- 
surement is in the LOCC class because it is the product of 
the eigenvalues of all the Pauli matrix components, which 
can be measured locally and communicated classically to 
obtain the final result. If we associate the outcomes -1-1 
and —1 with po and pi respectively, the POVM elements 
are Msq = ^(/ + (Tg) and Mgi = ^{I — as). Using the fact 



(106) 



Absorbing the nonnegative factors co,i into the probability 
vectors, this becomes simply 



we can calculate the conditional probabilities of interest: 



f{p + q) < f{p) + f{q) . 



(104) 



The convexity of / is proved by showing that the Hes- 
sian matrix f /dpadpp is positive semidefinite (it is 
straightforward to show that its eigenvalues are and 

XQXi{pl+pl)/{poPiJ2aXaPa))- 

Given any Y, we first construct an intermediate Y' as 
follows: For each outcome j € Y with unequal conditional 
probabilities {pjo,pji), introduce two outcomes in Y' with 
conditional probabilities: 

{0,Pji -Pjo) and {pjQ,Pjo) if j E 1+ 
{Pjo - Pji,0) and {p.ji,pji) if j E I- . 



All outcomes in Iq occur in Y' unchanged, 
the number of outcomes are such that |/^| 



Note that 
= |/±| and 



|/+| + |/_| + \Io\. The constraints Eqs. (101) and 



(102) are satisfied by Y' because the quantities involved 
are conserved by construction. I{X : Y') > I{X : Y) 
by applying Eq. (104) to each replacement. Finally, as 
all I'j^ outcomes have pjo = 0, and all I'_ outcomes have 
Pjl — 0, we introduce the desired random variable Y" 
with just three outcomes, with conditional probabilities 
(0,Eje/;?'ji)' (Ejer PjO,0), and (Eje/^ PjO, E^e/^ Pjo)- 
Y" still satisfies Eqs. (101) and ( |102| ), and the linearity of 
/ impHes I{X : Y") = I{X : F'). 

So, we have established that there exists an optimal 
Y with conditional probabilities (pio,0), (0,p2i), and 
(p30,P3o); these may be interpreted as the "certainly 0", 
"certainly 1" , and "don't know" outcomes. It is now triv- 
ial to show that the best choice of these parameters con- 
sistent with the constraints is given by pio — P21 — S, 
Pso = 1 — (5. These parameters lead to the mutual informa- 
tion I{X : Y) = 5H{X), proving the theorem. ■ 

B. Proof of Theorem [i| 

Proof: We write the density matrices po,i of the hid- 
ing states in the Pauli decomposition 



k 



(105) 



p{+l\ s, pt) = TviMsoPb) = 2 (1 + "-bs) , 
p{~l\ s, pb) = Tr(A4i/9b) ^ i(l - abs) . 
In this notation, j)o|o +^111 — 1 is given by 



p{+l\ s,po) +p{-l\ s,pi) - 1 = -(aos - ais 



(107) 



(108) 



If the right-hand side of Eq. (108) is negative, then we can 
always do better by inverting the assignment of outcomes, 
flipping the sign of this factor. So, we can always achieve 

p{+l\ s,po)+p(-l| s,pi)-l = i|ao. -ais|. (109) 

Our goal is to establish a lower bound on this quantity due 
to the orthogonality of po and pi . Thus we consider 

min max(po|o +Pi|i - 1) 

Po,i:po-Lpi s 



mm max-|aos - aisl 

Po,i:Po-Lpi s Z 



(110) 



Let po,i be fixed, and s*, which depends on po,i: be the 
corresponding s which maximizes ^|aos — ais|- Let 

go = max(aos.,ais.) , gi = min(aos- , aig. ) . (Ill) 



We can rephrase the optimization in Eq. (110) as a mini- 
mization over abs for s 7^ (abo = 1 is fixed by the nor- 
malization of po,i)j subject to the following constraints: 
1. Optimahty of s*: 



Qq- qi = Ks|aos - aisl where Kg > 1 



(112) 



2. Orthogonality of po and pi, implying that Es^o '^osO-is = 
— 1, or 

aosflis + qo<7i = -1 • (113) 

Note that we do not impose the positivity of po.i, and 
obtain a valid, though possibly loose bound. The above 
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constraints are imposed by introducing the Lagrange mul- 
tipliers A and As for s ^ 0, s* , transforming the problem to 
the unconstrained minimization: 



mm go - gi 



^ As [(go - gi) 



Ks|aos 



aisl] 



-A 



90 gi 



(114) 



We can fix go and minimize over gi and for s ^ 0, s*. If 
aos 7^ flis whenever s ^ (the other case will be discussed 
later) this function is analytic and we obtain the minimum 
by setting the derivatives of Eq. (114) with respect to the 
independent variables gi, aos, and ois to zero; 



1 + Ago - Es#o,s- As = , 
TsKsAs + Aais = 
-rsKsAs + Aaos = 



(115) 

Vs7^0,s*, (116) 
Vs7^0,s*. (117) 



Here rg = +1 if ao s > a is an d Ts — —1 if oos < ois- We 
need to solve Eqs. ([TT^ ), ( |TT3| ), (|ll5|) , and (|ll|) for go-gi- 
First of a ll, we eliminate the a^s by substituting Eqs. ( 116 ) 
and (117) into the constraints Eqs. (112) and (|ll 



A(go - gi) = 2KsAs , 

Es^o.s* + A^gogi = -A^ , 



(118) 
(119) 



We can obtain two other equations from Eq. ( |llq ): 
A(go-gi) ^ As = 2 ^ kIxI , 

A(go-gi) E i = 2 E ^- 



(120) 



We now have Eqs. (115), (119), and (120) in four variables 
Es#o,s- '^sAs, Es^o.s- As, A, and go - gi- We can per- 
form standard eliminations and obtain an expression for 
the minimum of qo — Qi'- 



qo - gi 



,V{i + C)qi + c 



qo 



c 



(121) 



where C = Es^o,s- 1/^ 



To reexpress Eq. (121) in the notation of the theorem 



statement, we use go — 2po|o ^ 1 ^-nd gi — 2pi|i — 1, which 



follow from Eqs. ( |107| ) and ( |lllD . We have 

^(l + C)(2po|o-l)' + C - (2po|o - 1) 



P0|0 +Pl|l 



1 > 



C 



(122) 

This can be simplified by changing variables y — po|o +Pi|i 
and X = po|o ~ Pi|i solving for y. We obtain 



Po|o +Pl|l 



1 > 



+ (poio "Piii)^ 

VcTT 



(123) 



To achieve the desired lowest minimum in Eq. ( |110| ), we 
will replace C by its upper bound. Since > I, 



C < 16" - 2 . 



(124) 



and we obtain the statement Eq. (37) to be proven. 

The analysis for the cases when oqs = ois for some s 
is similar to the one just presented. We obtain values of 
go ^ gi which are always greater than in Eqs. (121) and 



(124), so these cases can be excluded. ■ 
We remark that the weaker result, Eq. (|3^), can be 
proved without the Lagrange multiplier analysis. When 
we maximize over all possible s, th e best achievable po|o + 
— 1 is at least, using Eq. (110): 



1, 

max-|aos 

s Z 



a-is 



> 



1, 

max -|aos-ais 

s:aosaia<0 / 



> max VlaoToisI 

s:oosaia<0 



mm aos ais 

s:aosais<0 



> 



1 



(125) 



In the above proof, we use the orthogonality condition 
Ss^o'^Osflis = —1, so that {s : aos ais < 0} is non-empty 
and mius^^o flos ois < le^^-i ■ Equation (125) is indepen- 
dent of po,i, thus no further minimization over po and pi 
is needed. 

C. An OPTIMAL LOCC PROTOCOL TO DISTINGUISH To 

AND Ti 

In this appendix, we describe and discuss an LOCC pro- 
tocol to distinguish tq from ti that achieves the bound in 
Eq. (|8^). We employ the Block representation of a qubit. 
We identify the qubit state cos6' |0) +smd |1) with the den- 
sity matrix ^[I+sm{29) ax+cos{2d) az]- The coefficients of 
ax and cr^ can be conveniently plotted as a 2-dimensional 
vector. In this representation, orthogonal vectors are anti- 
parallel. The protocol is as follows: 

1. Alice first projects her qubit onto one of the two states 
r]± — ^[I ± -^{—Ox -I- CTz)], and sends the result to Bob. 

2. Let cosa = ^(1 + ^) and sina = ^(1 - ^). 

If Alice obtains 77+ , Bob projects his qubit onto the states 
?7+± = I [/ ± (cos OLOx^ sin a )] . 

If Alice obtains 77-, Bob projects his qubit onto the states 
77_± = -^[/i (smaox + cosadz)]. 

It is straightforward to verify that this protocol achieves 
the bound given by Eq. (p9[). 

The intuition behind this protocol is as follows. It actu- 
ally distinguishes among the four states |0-|-), |-t-0), |11), 
I ) with high probability. The first measurement ex- 
tracts 77,0 information on whether the state is To or t\. 

Rather, it distinguishes {|0-h), | )} from {|-hO), |11)} 

with high probability. Then, Bob adaptively measure ap- 
proximately along the {|+), |— )} or the {|0),|1)} bases. 
Bob's optimal measurement bases, the states ??±±, are 
slightly tilted from |-|-), |— ), |0), |1) to account for the im- 
perfection of the inference from Alice's outcome. A detailed 
pictorial explanation is given in Fig. |^. 

The POVM elements of this measurement are given by 
Afo = 7?+ 181 ?7++ + 77- (g) 77_+ and Mi = 77+ 7/+_ + 7/_ (g) 77 
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They ar e not symmetric under the operation discussed in 
Section |VII-B| , T[p] = i(p + SpS + H2PH2 + SH2PH2S). For 
this particular case, the POVM defined by T[Mo], T[Mi] 
is also LOCC - Alice and Bob flip two fair coins, which 
determine if they are either to carry out the original proto- 
col, or to exchange their roles, or to carry out the protocol 
in the conjugate basis, or to do both. Note that T is not 
an LOCC operation, yet it always transforms one LOCC 
POVM to another. This example also illustrates that such 
symmetrizing operations on the POVM elements, though 
they originate from symmetries of the states, do not corre- 
spond to actual operations on the state. We do not know 
if the class of LOCC POVMs is preserved under all com- 
pletely positive operations T such that T'^ [p] is PPT if p is 
PPT; in fact, we do not even know if this class is preserved 
under LOCC operations. 

Concerning the general question of whether PPT pre- 
serving POVMs are achievable by LOCC, very little is 
presently known. However, we have been able to prove 
that, in 7^2 ® H2, PPT preserving POVM measurements 
with two orthogonal POVM elements are always in the 
LOCC class. Applying this result to the to,i measurement, 
we obtain values of (Po|o,P^^) that we know to be achiev- 
able by LOCC, plotted in Fig. |. 
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(a) 



Alice 






M 


Bob 





Output "z = or 1" 
with prob. Tr(Mjp) 



(b) 

Alice 

l^max) 

Bob 



M =i 



State Mf /Tr(Afi) 
with prob. TT{Mi)/£ 



Fig. 1 

(a) a bipartite POVM measurement with two outcomes, (b) 
Applying the bipartite POVM measurement to two halves of 

TWO MAXIMALLY ENTANGLED STATES I'I'max) RESULTS IN A RESIDUAL 
STATE WHICH IS PROPORTIONAL TO THE TRANSPOSE OF THE POVM 
ELEMENT CORRESPONDING TO THE MEASUREMENT OUTCOME. 




Fig. 3 

For any pair of orthogonal states po,i on 'H2" (E)'H2"- there 

EXISTS AN LOCC POVM WITH PROBABILITIES Po|o, Pi|i ABOVE THE 
CURVES SHOWN FOR n = 1 AND n = 2. THE DASHED LINES ARE THE 
SIMPLER, WEAKER BOUND OF EQ. (Bq). 



Pl\l 




Polo 



Fig. 2 

Equation ( [i9| ) restricts (po|OiPi|i) to the above shaded 



region. The points B, C, and D are respectively {■ 



1+2- 



1), 



1+2- 



-,0), AND ( 



1 2" +2 1 _2 

2 2" + l ' 2 2" 



— ). The POINT D is achievable by 



A LOCC MEASUREMENT DESCRIBED IN SECTION [II-C . THE 



EXPRESSION Po|0 IS MAXIMIZED AT B. 



35 



25 



15 




10 
k 



Fig. 4 

Contours of constant upper bound on log/(B : Y), Eq. (^l]), 

WHILE VARYING n (tHE VERTICAL AXIS) AND k (tHE HORIZONTAL 

axis). The bound on log/(B : Y) is calculated using the 

EXPRESSION for A IN EQ. ( ^g] ) WITH Lp IN EQ. 
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Fig. 5 

(PolO'Plll) ATTAINABLE BY PPT-PRESERVING MEASUREMENTS ON 

T0,1- 
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Fig. 7 

a protocol to distinguish |0+), |+0), | ), labeled by (t), 

@, (3), @. The classically correlated initial states of Alice 

AND Bob are plotted in the two left diagrams. We will 
illustrate the case of equal prior probabilities, indicated by 
the equal lengths of the four state vectors. Alice projects 

HER QUBIT onto r)± , WHICH DISTINGUISHES [0+), [ ) (0 AND (3)) 

FROM 1+0), ((2) AND @) WITH HIGH PROBABILITY. THE TWO 

RIGHT DIAGRAMS REPRESENT THE QUBIT STATE OF BOB CONDITIONED 
ON THE TWO MEASUREMENT OUTCOMES OF ALICE. THE CONDITIONAL 
PROBABILITIES OF THE STATES ARE REPRESENTED BY THEIR LENGTHS. 

The optimal measurements of Bob to distinguish to from n 

ARE given BY THE PRO.IECTIONS ALONG »?±±. In FACT, CONDITIONED 
ON ?7+, »;+_|_ IS THE PROJECTOR ALONG THE DIRECTION OF VECTOR 
SUM OF AND (2), AND SIMILARLY J7_|__|_ IS THE PROJECTOR ALONG 

THE DIRECTION OF VECTOR SUM OF (3) AND (3), WHICH EXPLAINS THE 

OPTiMALiTY. Similar reasoning applies for rj-±. Bob infers to 

FROM measuring ??±+, AND Tl FROM MEASURING ??±-. 



Fig. 6 

(Pq^O'^I^J) ATTAINABLE BY PPT-PRESERVING MEASUREMENTS ON 

T0,1- 
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Fig. 8 

The inner curve bounds the region of (Po|o'Pi|i) attained by 

LOCC measurement on states to,i, and the outer curve 
bounds the region attained by ppt-preserving measurements 
(from Fig. 



